A NEW TREE-STRUCTURE-SPECIFIED MULTISIGNATURE
SCHEME FOR A DOCUMENT CIRCULATION SYSTEM
Masaki Inamura
1,2
, Keiichi Iwamura
1
, Ryu Watanabe
3
, Makoto Nishikawa
2
and Toshiaki Tanaka
3
1
Dept. of Electrical Engineering, Tokyo University of Science, 1–14–6 Kudankita, Chiyoda-ku, Tokyo, 102–0073 Japan
2
Technology Development Center, KDDI R&D Laboratories Inc., 3–10–10 Iidabashi, Chiyoda-ku, Tokyo, 102–8460 Japan
3
KDDI R&D Laboratories Inc., 2–1–15 Ohara, Fujimino-shi, Saitama, 356–8502 Japan
Keywords:
Intranet, Collaborative software, Digital signature, Multisignature, Gap-Diffie-Hellman group, Pairing.
Abstract:
In this paper, the authors propose a new multisignature scheme with pairing-based cryptography, which can
describe the tree structure of signers. In order to denote the relationship among a parent and its child signers,
a dedicated middle key is generated on our scheme. In addition, we prove that our scheme is provably secure
under the Gap-Diffie-Hellman assumption. Based on our proposal, we also implement the prototype of a
document circulation system. In this system, a document is signed by members, who are divided into multiply
layered groups. The browsing history can be confirmed by verifying the final signature on the document. The
computational performance of the system is evaluated, and the result shows a good performance.
1 INTRODUCTION
Recently, a intranet becomes common technology and
makes it possible for users to do their work efficiently.
A information sharing system, document circulation
system for work flow and schedule board system are
examples (Digital Stamp Series). As to the docu-
ment circulation system for work flow, it is impor-
tant for managers to confirm who has already read
a document. Therefore effective method is required
for checking the state of the document. For this pur-
pose, the multisignature scheme (Itakura and Naka-
mura, 1983) is one of the promising mechanisms. Un-
der the multisignature scheme, because each member
makes a signature to an objective document sequen-
tially and all-members’ signatures are aggregated to
one signature called multisignature, a verifier can ver-
ify validity to all-members’ signatures with verifica-
tion of the only multisignature. Therefore the sign-
ing cost is minimized effectively. However, current
multisignature schemes have a problem. The cur-
rent multisignature schemes lack the function for de-
scribing of the relationship among the multisignature
members. Each member, who forms a multisignature
group has equal rights and duties for his / her sign-
ing. On the other hand, in a company, all workers are
assigned various positions, and their rights and du-
ties are also various. Therefore a new multisignature
scheme, which can denote the hierarchical relation-
ship among the members, is required.
In this paper, the authors propose a tree-structure-
specified (TSS) multisignature scheme with a pairing-
based cryptography called BLS signature (Boneh
et al., 2001). Our contributions are described as fol-
lows:
• We propose a multisignature scheme, which can
express order-specified structure of signers.
• We prove that our proposed multisignature
scheme is provably secure under the Gap-Diffie-
Hellman (GDH) assumption.
• We expand our proposed scheme as a TSS mul-
tisignature scheme.
• We apply this scheme to a document circulation
system for intranets.
We also implement a prototype and evaluate its com-
putational performance.
2 RELATED WORK
2.1 BLS Signature Scheme
Okamoto and Pointcheval defined a GDH
class (Okamoto and Pointcheval, 2001). Consider a
362
Inamura M., Iwamura K., Watanabe R., Nishikawa M. and Tanaka T..
A NEW TREE-STRUCTURE-SPECIFIED MULTISIGNATURE SCHEME FOR A DOCUMENT CIRCULATION SYSTEM.
DOI: 10.5220/0003514903620369
In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2011), pages 362-369
ISBN: 978-989-8425-71-3
Copyright
c
2011 SCITEPRESS (Science and Technology Publications, Lda.)
multiplicative cyclic group G
′
with prime order p.
They defined two problems for Diffie-Hellman (DH)
as follows:
The Computational DH (CDH) Problem:
For a, b ∈ Z
∗
p
and g ∈ G
′
, given (g, g
a
, g
b
), com-
pute g
ab
.
The Decisional DH (DDH) Problem:
For a, b, c ∈ Z
∗
p
and g ∈ G
′
, given (g, g
a
, g
b
, g
c
),
decide whether c
?
= ab.
As for the GDH class, it is defined as that the DDH
problem is easy while the CDH problem is hard.
The first example of such groups was given by
Joux and Nguyen (Joux and Nguyen, 2001; Joux
and Nguyen, 2003), and Boneh, Lynn and Shacham
showed that a new signature scheme based on the
GDH class using pairing over elliptic curves could
be structured (Boneh et al., 2001). Pairing is one of
the functions on specified elliptic curves. Consider a
group G on elliptic curves enabling pairing. Let e de-
note the symbol for pairing function. Pairing has the
following characteristics:
• For P
1
, P
2
, Q ∈ G,
then e(P
1
+ P
2
, Q) = e(P
1
, Q)e(P
2
, Q).
• For P, Q
1
, Q
2
∈ G,
then e(P, Q
1
+ Q
2
) = e(P, Q
1
)e(P, Q
2
).
• For a, b ∈ Z
∗
p
and P, Q ∈ G,
then e(aP, bQ) = e(bP, aQ) = e(abP, Q)
= e(P, abQ) = e(P, Q)
ab
.
As a result, a signature scheme based on a group
G can be structured as follows:
Key Generation: g is a generator of a group G. The
secret key of the signer is a random element
x ∈ Z
∗
p
while his public key is v = xg.
Signing: H is a one-way hash function, which out-
puts a random element in the whole group G,
e.g. MapToGroup hashing onto G
∗
(Boneh et al.,
2001). m is both a plain message and a signing
target. The signer computes h = H(m) and returns
σ = xh.
Verification: When the verifier is given g, v, m and σ,
he computes h = H(m) and verifies
e(g, σ)
?
= e(v, h).
When verifying, if a signer generates a signature
correctly, a verifier can verify this signature with a
result of pairing as follows:
e(g, σ) = e(g, xh) = e(g, h)
x
.
e(v, h) = e(xg, h) = e(g, h)
x
.
Therefore if e(g, σ) = e(v, h), then σ has been gener-
ated correctly. Furthermore it has been proved that
the above scheme is secure against chosen-message
attacks (Boneh et al., 2001). In this paper, we call
this signature scheme structured on the group G with
pairing the BLS signature scheme.
After the concrete GDH signature scheme was
proposed by Boneh et al., they, Boldyreva and Lin et
al. proposed also a prototype of the multisignature
scheme based on the BLS signature scheme (Boneh
et al., 2003; Boldyreva, 2003; Lin et al., 2003). Con-
sider a group U = {u
1
, . . . , u
n
}, which is a group of n
signers, and a subgroup L = { u
i
1
, . . . , u
i
l
} ⊆ U, which
is a group of l members really participating in a mul-
tisignature. Let J = {i
1
, . . . , i
l
} denote the set of in-
dices of such members. Then proposers showed that
we could structure the multisignature scheme based
on the BLS signature scheme as follows:
Key Generation: g is a generator of a group G. The
secret key of the signer u
i
∈ U is a random element
x
i
∈ Z
∗
p
while his public key is v
i
= x
i
g.
Signing: H is a one-way hash function, which out-
puts a random element in the whole group G. m is
both a plain message and a signing target. The
signer u
i
α
∈ L computes h = H(m) and returns
σ
i
α
= x
i
α
h.
Aggregation: The issuer of a multisignature finally
collects all σ
i
α
generated by u
i
α
, computes
σ =
∑
j∈J
σ
j
and returns (m, L, σ).
Verification: When the verifier is given g, m, L and
σ, he collects all v
i
α
by L, computes v =
∑
j∈J
v
j
and h = H(m), and verifies e(g, σ)
?
= e(v, h).
When verifying, if all signers generate a multisig-
nature correctly, a verifier can verify this signature
with a result of pairing as follows:
e(g, σ) = e(g,
∑
j∈J
σ
j
) = e(g,
∑
j∈J
x
j
h)
= e(g, h)
∑
j∈J
x
j
.
e(v, h) = e(
∑
j∈J
v
j
, h) = e(
∑
j∈J
x
j
g, h)
= e(g, h)
∑
j∈J
x
j
.
Therefore if e(g, σ) = e(v, h), then all σ
i
α
have been
generated correctly. Furthermore it has been proved
that the above scheme is secure with reduction to
the security of the BLS signature scheme (Boldyreva,
2003).
2.2 Multisignature Protocol
Considering Hierarchical Relation
Several multisignature schemes considering hierar-
chical relation have been discussed.
A NEW TREE-STRUCTURE-SPECIFIED MULTISIGNATURE SCHEME FOR A DOCUMENT CIRCULATION
SYSTEM
363
Figure 1: Difference of assuming system.
First an order-specified multisignature scheme,
which can verify in which order each of signers signs
a document, is proposed (Tada, 2003). However, this
scheme cannot distinguish each division, which sev-
eral signers belong to.
Lin et al. have proposed a concept of a hier-
archical multisignature scheme, and so they discuss
requirements for distinguishing each hierarchy (Lin
et al., 2003). However, this scheme cannot be realized
because multiplying the generator by the generator is
executed without multiplying two elements in a GDH
group.
We proposed the first realistic multisignature
scheme, which constructed a hierarchical structure of
signers (Inamura et al., 2010). In this scheme we in-
troduced middle keys on purpose to express hierarchi-
cal relation among divisions, which each signer be-
longed to, and a verification protocol using these mid-
dle keys. Therefore they succeeded in verifying how
hierarchy was. However, this scheme cannot verify
complicated structures, e.g. a tree structure. Further-
more there is the problem that the number of middle
keys increases in proportion to the depth of layers.
Therefore we cannot adapt this scheme to assuming
system, which is for a company constructed with ac-
cumulation of some divisions like a tree structure. We
show a difference between two systems in Figure 1.
3 ORDER-SPECIFIED
MULTISIGNATURE
(PREPARATION)
In this section, for a preparation to propose the TSS
multisignature, we propose a new order-specified
multisignature scheme and security proof of the
scheme.
3.1 Symbols, Preconditions and
Requirements
3.1.1 Symbols
We define symbols used in our protocol as follows:
G: A group on elliptic curves enabling pairing.
g: A generator in a group G.
e: A pairing function.
u
o
: A signer in our order-specified multisignature (o is the
number of order).
x
o
, v
o
: A private key (x
o
∈ Z
∗
p
) and a public key
(v
o
∈ G), which the signer u
o
holds.
L
o
: Order information from u
1
to u
o
.
V
o
: A middle key for verifying an order-specified multisig-
nature.
m: A plain message.
h: A one-way hash function onto G (e.g. MapToGroup).
σ
o
: A signature to m based on the BLS signature scheme.
S
o
: An order-specified multisignature from u
1
to u
o
.
3.1.2 Preconditions
In our proposal, we assume preconditions as follows:
• Our order-specified multisignature scheme is op-
erated with legal CA (Certification Authority).
• In the procedure of signing, all signers generate
L
o
, V
o
and σ
o
rightfully.
3.1.3 Requirements
Komano et al. showed that we need to define secu-
rity requirements to a multisignature scheme, which
is different from those to a standard digital signa-
ture scheme (Komano et al., 2005; Komano et al.,
2008). Therefore we define security requirements to
our scheme are followings:
(1) Order-specified Legitimacy. Although a third
party obtains all public information, the third
party cannot add/delete signers’ information,
forge data. In addition, the third party cannot
modify order in L
o
.
(2) Unforgeability. Although a third party obtains all
public information, the third party cannot gener-
ate σ
o
.
(3) Collusion-secure. A signer cannot collude with
other signer for denial of Multisignature Partici-
pation.
SECRYPT 2011 - International Conference on Security and Cryptography
364
(4) Impossibility of Deceptive Participation. A
signer cannot let a third party participate in a
multisignature without permission.
3.2 Protocol
3.2.1 Key Pair Generation
g is a generator of a group G. The secret key of the
signer u
i
is a random element x
i
(however,if i 6= j then
x
i
6= x
j
) while his public key is v
i
= x
i
g.
When the signer u
i
generates the key pair, u
i
sends
the public key to the CA. The CA generates random
value r ∈ Z
∗
p
and sends it to u
i
. u
i
signs r using the
secret key with the BLS signature scheme and sends
the signature to the CA. The CA verifies the signature
using the public key. If verification is succeeded, the
CA registers the public key.
3.2.2 Signing & Aggregation
We show the procedure of signing and aggregation as
follows:
S1. The signer u
1
in the first order computes the fol-
lowing:
h =H(m).
σ
1
=x
1
h.
S
1
=σ
1
.
L
1
={(0, u
1
)}.
V
1
=v
1
.
This signer u
1
sends the signature
set(u
1
, v
1
, σ
1
, S
1
, L
1
, V
1
) to a directly connected
signer in the second order.
S2. The signer u
2
in the second order computes the
following:
h =H(m).
σ
2
=x
2
h.
S
2
=σ
2
+ x
2
σ
1
.
L
2
=L
1
+ {(u
1
, u
2
)}.
V
2
=v
2
+ x
2
v
1
.
This signer u
2
sends the signature
set(u
2
, v
2
, σ
2
, S
2
, L
2
, V
2
) to a directly connected
signer in the third order.
S3. The signer u
o
in the oth order computes the fol-
lowing:
h =H(m).
σ
o
=x
o
h.
S
o
=S
o−1
+ (x
o
− 1)σ
o−1
+ σ
o
.
L
o
=L
o−1
+ {(u
o−1
, u
o
)}.
V
o
=V
o−1
+ (x
o
− 1)v
o−1
+ v
o
.
This signer u
o
sends the signature
set(u
o
, v
o
, σ
o
, S
o
, L
o
, V
o
) to a directly connected
signer in the (o+ 1)th order.
S4. The signer u
o
last
in the last order computes the
following:
h =H(m).
σ
o
last
=x
o
last
h.
S
o
last
=S
o
last
−1
+ (x
o
last
− 1)σ
o
last
−1
+ σ
o
last
.
L
o
last
=L
o
last
−1
+ {(u
o
last
−1
, u
o
last
)}.
V
o
last
=V
o
last
−1
+ (x
o
last
− 1)v
o
last
−1
+ v
o
last
.
This signer u
o
last
returns (S
o
last
, L
o
last
, V
o
last
) as the
order-specified multisignature set.
3.2.3 Verification
When the verifier is given the order-specified mul-
tisignature set and has a mean to obtain all signers’
public keys, he or she verifies the multisignature as
follows:
V1. The verifier collects all v
o
by L
o
last
.
V2. The verifier verifies the following:
e(g, V
o
last
)
?
= e(g, v
1
)(
o
last
∏
i=2
e(v
i−1
, v
i
)) by L
o
last
.
V3. The verifier computes h = H(m) and verifies
e(g, S
o
last
)
?
= e(V
o
last
, h).
In the above scheme, the verifier can verify the le-
gitimacy of a middle key V
o
last
generated by the signer
u
o
last
using all public key v
1
, . . . , v
o
last
. Therefore the
verifier can realize that V
o
last
is correct, and then he
can verify the Unforgeability of multisignature σ
o
last
in the same way as the BLS signature scheme.
3.3 Security Analysis
We defined security requirements to our scheme in
section 3.1.3, so we discuss security analysis for those
requirements in this section.
(1) Order-specified Legitimacy
Legitimacy of signing order depends on a numerical
formula of the middle key V
o
last
. Therefore if V
o
last
is
secure, order of signers is correct.
We can prove security of order-specified legiti-
macy as follows:
Theorem 1.
Let G be a GDH group. Then V
o
last
is secure against
forgery in the random oracle.
A NEW TREE-STRUCTURE-SPECIFIED MULTISIGNATURE SCHEME FOR A DOCUMENT CIRCULATION
SYSTEM
365
Proof of Theorem 1.
We can prove that V
o
last
is secure with reduction to the
CDH problem. Let A be a poly-time adversary for the
computingV
o
last
. We will structure the adversary B for
the CDH problem, such that
Adv
compute
V
o
last
(A) = Adv
ct-CDH
G
(B).
This means that if the CDH problem is hard then com-
puting V
o
last
is secure.
It is obvious that A succeeds in forgery whenever
B is successful. Therefore in this section, we proof
the converse as follows:
Proof in case of o
last
= 1 : V
o
last
is the same as v
o
last
.
Proof in case of o
last
= 2 : In this case, signers in
the order structure are only two signers directly
connected. B is having public keys v
1
, v
2
and ac-
cess to the random oracle. B will run A simulat-
ing the honest player. First B gives A the public
keys v
1
and v
2
as the signers’ key. x
1
and x
2
cor-
responding to the secret keys of v
1
and v
2
ought
to exist. However, the adversary cannot realize x
1
and x
2
because of the discrete logarithm problem.
B simulates A’s random oracle using its own ora-
cle. Whenever A asks the honest player to com-
pute some middle keys, B forwards the query to
its random oracle and return the reply back to A.
At some point A outputs an attempted forgery V
2
.
Then B computes x
1
x
2
g = V
2
−v
2
. It is easy to see
that B simulates A for a valid experiment, runs in
time comparable to running time of A and that it
succeeds in forgery whenever A is successful.
Proof in case of o
last
= z(z ≥ 3) : We assume that we
have proved legitimacy when the number of order
is z−1. B is having public keys v
z−1
, v
z
and access
to the random oracle. B will run A simulating the
honest player. First B gives A the public keys v
z−1
and v
z
as the signer’s key in the (z−1)th order and
in the last order. x
z−1
and x
z
corresponding to the
secret keys of v
z−1
and v
z
ought to exist. However,
the adversary cannot realize x
z−1
and v
z
because
of the discrete logarithm problem. Then A out-
puts V
z−1
. B simulates A’s random oracle using its
own oracle. Whenever A asks the honest player to
compute some middle keys, B forwards the query
to its random oracle and return the reply back to A.
At some point A outputs an attempted forgery V
z
.
Then B computes x
z−1
x
z
g = V
z
−V
z−1
+ v
z−1
− v
z
.
It is easy to see that B simulates A for a valid ex-
periment, runs in time comparable to the running
time of A and that it succeeds in forgery whenever
A is successful.
(QED)
(2) Unforgeability
An order-specified multisignature is S
o
last
in the end.
Therefore if S
o
last
is secure, generated multisignature
is correct.
We can prove security of unforgeability as fol-
lows:
Theorem 2.
Let G be a GDH group. Then S
o
last
is secure against
forgery of the multisignature set in the random oracle.
Proof of Theorem 2.
We prove that S
o
last
is secure with reduction to the BLS
signature scheme. Let A be a poly-time adversary for
signing S
o
last
. We will structure the adversary B for
the BLS signature scheme, such that
Adv
multi-sign
S
o
last
(A) = Adv
sign
the-BLS-signature
(B).
This means that if the BLS signature scheme is se-
cure (Boneh et al., 2001) then computing S
o
last
is se-
cure.
If V
o
last
is open to the public for other multisigna-
ture, it is obvious that A succeeds in forgery whenever
B is successful. Therefore in this section, we proof the
converse as follows:
B is having a public key v
o
last
and access to the ran-
dom oracle and the signing oracle. B will run A sim-
ulating the honest player. First B gives A the public
keys v
o
last
as the signer’s key in the last order. x
o
last
corresponding to the secret key of v
o
last
ought to exist.
However, the adversary cannot realize x
o
last
because
of the discrete logarithm problem. Then A outputs the
set of o
last
− 1 pairs of middle key and correspond-
ing multiplicative secret key, which ought to be com-
puted by signers (v
1
, x
1
), · · ·, (v
o
last
−1
, x
o
last
−1
), where
v
i
= x
i
g. Let the above key pairs be child signers’
directly connected with the root. B simulates A’s ran-
dom oracle using its own oracle. Whenever A asks
the honest player to participate in the order-specified
signature generation protocol on some message m, B
forwards the query to its signing oracle and return the
reply back to A. At some point A outputs an attempted
forgery S
o
last
. Then B computes
x
o
last
H(m)
= (x
o
last
−1
+ 1)
p−1
(S
o
last
− (
∑
o
last
−1
i=2
x
i−1
x
i
H(m))).
It is easy to see that B simulates A for a valid exper-
iment, runs in time comparable to running time of A
and that it succeeds in forgery whenever A is success-
ful. (QED)
SECRYPT 2011 - International Conference on Security and Cryptography
366
(3) Collusion-secure
Connection between two signers (u
o−1
and u
o
) is indi-
cated by the product of two secret keys of these sign-
ers (x
o−1
x
o
included in S
o
last
). If x
′
o−1
and x
′
o
of which
x
′
o−1
x
′
o
= x
o−1
x
o
consisted existed, u
o−1
and u
o
could
deny participating in the multisignature with intrusion
into other signers who might hold x
′
o−1
and x
′
o
.
As a countermeasure against the above, we con-
sider that each secret key is a prime number in Z
∗
p
. If
any keys is generally a prime, so x
′
o−1
and x
′
o
of which
x
′
o−1
x
′
o
= x
o−1
x
o
consists do not exist.
(4) Impossibility of Deceptive Participation
A generated multisignature is following:
S
o
last
=x
1
x
2
h+ · · · + x
o−1
x
o
h+ x
o
x
o+1
h+ . . .
+ x
o
last
−1
x
o
last
h+ x
o
last
h.
Then u
o
attempts to let u
′
o
participate in the multisig-
nature without permission in spite of nonparticipation
in the multisignature. u
o
obtains the public key v
′
o
of
u
′
o
and calculates v
d
= v
o
+ v
′
o
. If u
o
could obtain x
d
,
which was obtained with logarithmic calculation of
v
d
= x
d
g, u
o
could let u
′
o
participate in the multisigna-
ture illegally with following calculation:
S
′
o
last
=x
1
x
2
h+ · · · + x
o−1
(x
d
− x
o
)h
+ (x
d
− x
o
)x
o+1
h+ · · · + x
o
last
−1
x
o
last
h+ x
o
last
h
( = x
1
x
2
h+ · · · + x
o−1
x
′
o
h+ x
′
o
x
o+1
h+ . . .
+ x
o
last
−1
x
o
last
h+ x
o
last
h).
However, u
o
cannot obtain x
d
because of the discrete
logarithm problem, so u
o
cannot calculate the above.
4 BROWSING VERIFICATION
SYSTEM (PROPOSITION)
4.1 Protocol
Our scheme in section 3 expresses order connection
with repetition of the product of two secret keys,
which directly connected signers hold. This expres-
sion is not limited to connect one to one, but enabled
to expand into connecting one to many. Therefore we
can propose a TSS multisignature with repetition of
the connection between a parental signer and many
signers in footings of children. Furthermore we can
propose a browsing verification system of a document
for circulating using this TSS multisignature.
In this section, we explain our new browsing ver-
ification system. As a sample case we consider our
Figure 2: The outline of our system on a binary tree struc-
ture with three layers.
system on a binary tree structure with three layers in
Figure 2.
We redefine following symbols used in this binary
tree structure with three layers:
G: A group on elliptic curves enabling pairing.
g: A generator in a group G.
e: A pairing function.
u
t
: A top manager at the root of the tree structure.
u
i,o
i
: Middle managers in the inner of the tree structure (o
i
is the identity number in the inner of the tree structure).
u
b,o
b
: Laborers in the leaf of the tree structure (o
b
is the
identity number in the leaf of the tree structure).
x
t
, v
t
: A private key and a public key, which top manager
u
t
holds.
x
i,o
i
, v
i,o
i
: A private key and a public key, which a middle
manager u
i,o
i
holds.
x
b,o
b
, v
b,o
b
: A private key and a public key, which a laborer
u
b,o
b
holds.
L
t
: Structured information from laborers to the top man-
ager.
L
i,o
i
: Structured information from laborers to a middle
manager u
i,o
i
.
L
b,o
b
: Information only a laborer u
b,o
b
.
V
t
: A middle key for verifying a TSS multisignature.
V
i,o
i
, V
b,o
b
: A sub-middle key for generating V
t
.
m: A plain message in document for circulating.
h: A one-way hash function onto G (e.g. MapToGroup).
σ
i,o
i
, σ
b,o
b
: A signature to m of u
i,o
i
or u
b,o
b
based on the
BLS signature scheme.
S
t
: A TSS multisignature.
S
i,o
i
, S
b,o
b
: A sub TSS multisignature for generating S.
The procedure for key pair generation is the same
as the procedure in section 3.2. Therefore we omit the
procedure for key pair generation.
A NEW TREE-STRUCTURE-SPECIFIED MULTISIGNATURE SCHEME FOR A DOCUMENT CIRCULATION
SYSTEM
367
4.1.1 Signing & Aggregation
We show the procedure of signing and aggregation as
follows:
ST1. After the laborer u
b,1
browses the message m,
this laborer computes the following:
h =H(m).
σ
b,1
=x
b,1
h.
S
b,1
=σ
b,1
.
L
b,1
={(0
†
, u
b,1
)}.
†
0 means that u
b,1
is at the leaf.
V
b,1
=v
b,1
.
This laborer u
b,1
sends the signature
set(u
b,1
, v
b,1
, σ
b,1
, S
b,1
, L
b,1
, V
b,1
) to a directly
connected middle manager u
i,1
. Other laborers
u
b,o
b
(2 ≤ o
b
≤ 4) also execute the above proce-
dure after they browse the message m and sends
(u
b,o
b
, v
b,o
b
, σ
b,o
b
, S
b,o
b
, L
b,o
b
, V
b,o
b
) to a middle
manager (if o
b
= 2, then to u
i,1
, else to u
i,2
).
ST2. After the middle manager u
i,1
browses the mes-
sage m, this middle manager computes the follow-
ing:
h =H(m).
σ
i,1
=x
i,1
h.
S
i,1
=S
b,1
+ S
b,2
+ (x
i,1
− 1)σ
b,1
+ (x
i,1
− 1)σ
b,2
+ σ
i,1
.
L
b,1
=L
b,1
+ L
b,2
+ {(u
b,1
, u
i,1
) + {(u
b,2
, u
i,1
)}.
V
i,1
=V
b,1
+V
b,2
+ (x
i,1
− 1)v
b,1
+ (x
i,1
− 1)v
b,2
+ v
i,1
.
This middle manager u
i,1
sends the signature
set(u
i,1
, v
i,1
, σ
i,1
, S
i,1
, L
i,1
, V
i,1
) to the top manager
u
t
. Another middle manager u
i,2
also executes the
above procedure after they browse the message m
and sends
(u
i,2
, v
i,2
, σ
i,2
, S
i,2
, L
i,2
, V
i,2
) to u
t
.
ST3. After the top manager u
t
browses the message
m, this top manager computes the following:
h =H(m).
σ
t
=x
t
h.
S
t
=S
i,1
+ S
i,2
+ (x
t
− 1)σ
i,1
+ (x
t
− 1)σ
i,2
+ σ
t
.
L
t
=L
i,1
+ L
i,2
+ {(u
i,1
, u
t
) + {(u
i,2
, u
t
)}.
V
t
=V
i,1
+V
i,2
+ (x
t
− 1)v
i,1
+ (x
t
− 1)v
i,2
+ v
t
.
The top manager u
t
returns (S
t
, L
t
, V
t
) as the TSS
multisignature set.
Figure 3: A binary tree structure in simulation program.
4.1.2 Verification
When the verifier, e.g. the administrator who let a
document circulated, is given the TSS multisignature
set and has a mean to obtain public keys of all mem-
bers who have browsed a message, he or she verifies
the multisignature as follows:
VT1. The verifier collects all v
t
, v
i,o
i
, v
b,o
b
by L
t
.
VT2. The verifier verifies the following:
e(g, V
t
)
?
=(
2
∏
j=1
e(v
b, j
, v
i,1
)) · (
4
∏
k=3
e(v
b,k
, v
i,2
))
· (
2
∏
n=1
e(v
i,n
, v
t
)) · e(g, v
t
) by L
t
.
VT3. The verifier computes h = H(m) and verifies
e(g, σ
t
)
?
= e(V
t
, h).
The above procedure has three following
specifics:
• A numerical formula of the TSS multisignature
is the same composition as that of the order-
specified multisignature. Therefore we can ex-
plain security analysis of the TSS multisignature
scheme with the same analysis in section 3.3.
• Our scheme generates the multisignature with
repetition of the product of two secret keys, which
directly connected managers or laborers hold.
Therefore our scheme is suitable for any type of
tree structure.
• Because of expansion of order-specified multisig-
nature scheme, signing order is fixed. Therefore
the verifier can know that a supervisor is sure to
verify whether his or her directly connected sub-
ordinates browse a message or not.
As a result of the above procedure, the verifier can
securely verify not only who browses this message
but also in which order each of members circulates
the document.
4.2 Performance Evaluation
We made the simulation program under the protocol
in section 4.1 on a binary tree structure with 511 sign-
SECRYPT 2011 - International Conference on Security and Cryptography
368
Table 1: Result of the running time on the simulation.
Signing at each signer. Verification by verifier.
Max 0.125[sec] 3.838[sec]
ers cited in Figure 3 and measured the average run-
ning time for signing and verification on this program.
The specifications of the computer used for the
simulation and of the security functions/parameters
are the following:
Computer:
CPU: Intel Core i7 870.
Memory Size: 3.24GB.
OS: Microsoft Windows7 Ultimate (32bits).
Language: Microsoft Visual C++ 2008.
Security Functions/Parameters:
Pairing Function: Tate Pairing (e(P, Q):The size of P
is 20[Byte], The size of Q is 241[Byte]).
Hash Function: MapToGroup with SHA-256.
We show results of the running time for signing at
the leaf, the inner and the root and for verification on
the simulation program in Table 1.
Running time for signing at each signer is 0.125
seconds at the most. We have realized that the running
time of addition is much less than that of scalar multi-
plication over an elliptic curve, and so multiplication
dominates the running time of signing. Each signer
computes two times multiplication, namely computa-
tion of a middle key and a middle signature. There-
fore we suppose that signing time of each signer is
almost constant.
On the other hand, the running time of verifica-
tion is 3.838 seconds. When verification, the verifier
needs to computes plural pairing function in propor-
tion to the number of signers. Therefore the more the
number of signers participating multisignature is, the
more the calculation costs are. However, a result of
this simulation shows that our system is realistic.
5 CONCLUSIONS
We proposed the order-specified multisignature
scheme based on the BLS signature scheme and
proved the security of our scheme with the random
oracle. In addition, we expanded our order-specified
multisignature scheme into the TSS multisignature
scheme and adapted this scheme to the browsing ver-
ification system of a document for circulating.
REFERENCES
Digital Stamp Series.
http://www.shachihata.co.jp/interweb/index.php.
Boldyreva, A. (2003). Threshold signatures, multisigna-
tures and blind signatures based on the gap-diffie-
hellman-group signature scheme. In Public Key Cryp-
tography - PKC 2003, LNCS, volume 2567, pages 31–
46. Springer-Verlag.
Boneh, D., Gentry, C., Lynn, B., and Shacham, H. (2003).
Aggregate and verifiably encrypted signatures from
bilinear maps. In Advances in Cryptology - EURO-
CRYPT 2003, LNCS, volume 2656, pages 416–432.
Springer-Verlag.
Boneh, D., Lynn, B., and Shacham, H. (2001). Short signa-
tures from the weil pairing. In Advances in Cryptology
- ASIACRYPT 2001, LNCS, volume 2248, pages 514–
532. Springer-Verlag.
Inamura, M., Watanabe, R., and Tanaka, T. (2010). Pro-
posal and evaluation of a hierarchical multisignature
adapted to browsing verification of a document for
circulating. IEICE Trans. on Communications, J93-
B(10):1378–1387.
Itakura, K. and Nakamura, K. (1983). A public-key cryp-
tosystem suitable for digital multisignatures. NEC Re-
search& Development, 71:1–8.
Joux, A. and Nguyen, K. (2001). Separating decision diffie-
hellman from diffie-hellman in cryptographic groups.
Cryptology ePrint Archive, Report 2001/003.
Joux, A. and Nguyen, K. (2003). Separating decision diffie-
hellman from computational diffie-hellman in crypto-
graphic groups. Springer J. of Cryptology, 16(4):239–
247.
Komano, Y., Ohta, K., Shimbo, A., and Kawamura, S.
(2005). On the security of probabilistic multisigna-
ture schemes and their optimality. In Cryptology in
Malaysia - Mycrypt 2005, LNCS, volume 3715, pages
132–150. Springer-Verlag.
Komano, Y., Ohta, K., Shimbo, A., and Kawamura, S.
(2008). Provably secure multisignatures in formal se-
curity model and their optimality. IEICE Trans. on
Fundamentals of Electronics, Communications and
Computer Sciences, E91-A(1):107–118.
Lin, C. Y., Wu, T. C., and Zhang, F. (2003). A structured
multisignature scheme from the gap diffie-hellman
group. Cryptology ePrint Archive, Report 2003/090.
Okamoto, T. and Pointcheval, D. (2001). The gap-
problems: A new class of problems for the security
of cryptographic schemes. In Public Key Cryptogra-
phy - PKC 2001, LNCS, volume 1992, pages 104–118.
Springer-Verlag.
Tada, M. (2003). A secure multisignature scheme withsign-
ing order verifiability. IEICE Trans. on Fundamentals
of Electronics, Communications and Computer Sci-
ences, E86-A(1):73–88.
A NEW TREE-STRUCTURE-SPECIFIED MULTISIGNATURE SCHEME FOR A DOCUMENT CIRCULATION
SYSTEM
369
